Shows
QPC Security - Breakfast BytesA Deep Dive into SaaS Risks and BackupsJoin Felicia King in this eye-opening episode of Breakfast Bytes as she unravels the concept of third-party information security risk management. Felicia highlights the growing debates around software as a service (SaaS) platforms and the complexities they entail, raising poignant questions about security, backups, and risk.
Dive deep into the intricacies of backups—from on-premise practices to the vulnerabilities introduced with SaaS. Felicia draws parallels between the supply chain practices of ancient times and the critical information security strategies needed in today's digital landscape.
Through vivid storytelling and expert insights, discover why making informed decisions ab...2025-04-3028 minQPC Security - Breakfast BytesMastering Operational Maturity: The Secret to AI SuccessWelcome to another episode of Breakfast Bytes with Felicia King. In this gripping sequel, Felicia delves deeper into the concept of operational maturity and its vital role in driving organizational profitability and AI readiness. If you've ever wondered why achieving consistency in management across departments can be challenging, this episode sheds light on the ubiquitous struggles faced by organizations regardless of size or industry.
Drawing from her extensive 30-year career, Felicia shares eye-opening, real-world anecdotes that reveal the tangible barriers to operational maturity. Imagine a world where processes run smoothly, unaffected by the presence or absence of...2025-03-0127 minQPC Security - Breakfast BytesDriving Cultural Change Toward Profitability and Operational MaturityIn this enlightening episode of Breakfast Bytes, Felicia King draws upon her three decades of business experience to guide us through the crucial steps organizations must take to flourish amidst today's challenges. With a focus on operational maturity, Felicia unravels the strategies businesses need to implement to harness the power of AI without compromising data security.
Explore the pitfalls of inadequate governance in the age of rapidly advancing technologies and discover why the absence of a robust data policy could be detrimental. Felicia also delves into the cultural shifts required within organizations to ensure not only survival...2025-02-2727 minQPC Security - Breakfast BytesMastering the AI Landscape: A Guide for BusinessesIn this episode of Breakfast Bytes, Felicia King delves into the intertwining worlds of AI and technology adoption for businesses. She sheds light on how small and midsize businesses can leverage AI safely and the pivotal role of adopting the right technology. Drawing from three decades of experience, Felicia explores real-world scenarios, such as a 100-person law firm facing a potential $9 million data risk, highlighting the necessity of robust data governance and security measures.
Listeners will gain insight into the vital decisions that executive management teams must make to remain competitive. Felicia discusses the importance of informed...2025-01-3027 minQPC Security - Breakfast BytesSurvive and Thrive in 2025: Empowering Your Team with Continuous LearningIn this episode of Breakfast Bytes, join Felicia King as she sits down with Chris Gross, the Director of Product at Breach Secure Now, to explore the revolutionary impact of continuous education in cybersecurity and productivity.
Discover how Breach Secure Now's unique approach to training empowers managers and employees alike to enhance organizational culture, productivity, and security awareness. Learn why weekly micro-trainings are more effective than traditional annual methods, transforming end-users into informed, accountable team members.
Chris shares the insights into the seamless integration of AI and security training with platforms like Microsoft Teams, and...2024-12-3128 minQPC Security - Breakfast BytesSurvive and Thrive in 2025In this inspiring episode of Breakfast Bytes, Felicia King delves into the pressing strategies businesses need to adopt to thrive in the year 2025. With intriguing insights, Felicia articulates why companies must stay competitive and adapt to the ever-changing landscape—focusing on the integral role of a Chief Technology Officer and the imperative cultural shift towards continuous staff training.
Felicia sheds light on the complexity of finding competent talent, the importance of establishing and enforcing effective policies, and the necessity of blending technology with human oversight. She compellingly emphasizes that regardless of workforce demographics, training needs to become a...2024-12-0427 minQPC Security - Breakfast BytesThe Hidden Risks of Data Centers: A Deep Dive with Dr. Eric WoodellIn this episode of Breakfast Bytes, host Felicia King sits down with Dr. Eric Woodell, founder of Ameris and a leading expert in data center infrastructure and operations compliance. Dive into the world of data centers as Dr. Woodell reveals the shocking truths behind their operations and the risks that could be lurking behind the scenes.
Dr. Woodell shares his journey from nuclear submarines to becoming a key player in the data center industry, highlighting his relentless pursuit of truth and transparency. Discover why he believes that the current standards for compliance, such as SOC 2, may be...2024-11-021h 23QPC Security - Breakfast BytesWhy You Need a CTO: Avoiding Costly Mistakes in Document ManagementIn this riveting episode of Breakfast Bytes, host Felicia King delves into the often overlooked but crucial aspect of business technology: document management platforms. With a sharp focus on how organizations of all sizes can benefit from these systems, Felicia underscores the importance of operational maturity and strategic decision-making.
Through compelling narratives and real-world examples, she illustrates the perils of inadequate technology leadership. From misguided IT directors to costly missteps, Felicia shares stories from her 30-year career, shedding light on the vital role a Chief Technology Officer (CTO) plays in safeguarding a company's resources and ensuring seamless...2024-11-0127 minQPC Security - Breakfast BytesNavigating the Cloud: Unveiling the Hidden Costs and RisksIn this compelling episode of Breakfast Bytes, host Felicia King delves into the complex world of cloud computing, exploring the intricacies of public cloud, private cloud, self-hosting, and premise servers. With insights from a newly recognized expert in the field, this episode promises to challenge conventional wisdom and offer fresh perspectives on hosting decisions.
Felicia unravels the hidden costs and maintenance challenges of managing workloads, whether in the cloud or on-premise. She highlights the significant financial implications and the importance of competent management, urging listeners to reconsider the assumptions surrounding the efficiency and cost-effectiveness of cloud solutions.2024-10-0427 minQPC Security - Breakfast BytesExploring Network Security and AI Threats with Crystal RedmannIn this riveting episode of Breakfast Bytes, host Felicia sits down with Crystal Redmann, the inquisitive Operations Director from Redmann Farms, to dive into the intricacies of network security. Crystal brings forth compelling questions about network segmentation, shedding light on how this fundamental security measure can protect even the smallest of organizations.
As the conversation unfolds, Felicia and Crystal explore the evolving landscape of cybersecurity threats, particularly focusing on the alarming use of AI by cyber criminals. Through vivid analogies and real-life examples, Felicia illustrates the critical need for advanced security measures and the role of zero...2024-08-2328 minQPC Security - Breakfast BytesThe Real Skinny on Penetration Testing: Debunking the MythsWelcome to Breakfast Bytes with Felicia King. Today, we delve deep into the often-misunderstood realm of penetration testing. As business owners grapple with the necessity and costs associated with these tests, Felicia demystifies the process, drawing from her three decades of cybersecurity expertise.
In this episode, discover why traditional penetration testing might just be a costly theater act and learn the importance of continuous vulnerability assessments. Felicia shares compelling anecdotes and practical advice on how to genuinely safeguard your business without burning through your budget.
Join us as we explore the intricate dance between IT...2024-08-1519 minQPC Security - Breakfast BytesLessons from the CrowdStrike outageGood morning and welcome to another episode of Breakfast Bytes. I'm your host, Felicia King, and today, I'm joined by my colleague, Jeff Birner, hailing from Florida. Our riveting discussion centers around the recent CrowdStrike incident that has sent shockwaves through the cybersecurity community and beyond. This episode promises to offer insights and perspectives you won't find in the typical news coverage.
As we delve into the conversation, Jeff and I explore the core issues surrounding CrowdStrike, including its lack of trustworthiness as a counterparty and the legal implications of delayed security updates. We discuss the broader...2024-07-3129 minQPC Security - Breakfast BytesNavigating the AI Frontier: Caution, Control, and OpportunityGood morning, you're listening to Breakfast Bytes, and I'm Felicia King. Today's episode takes a deep dive into the world of artificial intelligence, offering a perspective that challenges the mainstream narrative. Instead of jumping on the AI bandwagon, we'll explore the importance of cautious engagement and risk management when dealing with this powerful technology.
We'll delve into the profound implications of AI, discussing the potential risks and the measures you can take to mitigate them. From the economic challenges of running closed AI systems to the dangers of data leaks and professional pitfalls, this episode covers it...2024-07-0528 minQPC Security - Breakfast BytesUnderstand implications of IT procurement using cabinets as an exampleFelicia stressed the importance of informed decision-making in technology services and products, and the need for involving skilled professionals in decision-making processes. She also discussed the longevity of structural furniture, the challenges in network switch installation, and the need for a formal procurement process in the IT department. Furthermore, she highlighted the issues with current wall-mount cabinets and open racks, the business impact of operations beyond regular hours, the need for proper equipment maintenance, and the importance of having an on-site technical point of contact at every facility.
Action items
• Felicia recommends ensuring the IT de...2024-05-3129 minQPC Security - Breakfast BytesWhat is zero trust cybersecurity?Welcome to an insightful episode of Breakfast Bytes, featuring an in-depth discussion about Zero-Trust Cybersecurity, a vital approach to modern cybersecurity practices. Understand why this network layer protection strategy is essential to guard your business and residential networks against harmful threats.
From a reflective analysis of the cybersecurity landscape four years ago, Felicia highlights the repercussions of a weak cybersecurity posture, emphasizing the necessity of a resilient and efficient cybersecurity stack. She elaborates on the integration of various concepts like endpoint protection product (EPP), endpoint detection and response (EDR), and managed detection and response (MDR) into a...2024-05-1328 minQPC Security - Breakfast BytesIncident response and mitigating supply chain attacksIn this episode of Breakfast Bytes with Felicia King, we navigate the complex but crucial realm of cyber security. We explore the emerging menace of supply chain attacks and underscore the vital need for proactive incident response planning. Felicia reveals the staggering average cost of a cyber-attack, per employee and endpoint, and explains why smaller businesses might suffer even greater losses.
King sheds light on the often unnoticed aspect of incident response planning: the critical period between discovering a potential compromise and confirming a successful attack. She also scrutinizes the implications and expenses of in-house response strategies...2024-05-1328 minQPC Security - Breakfast BytesK12 Technology and Cybersecurity Challenges and SolutionsIn today's episode of Breakfast Bytes, hosted by Felicia King, we delve into the pressing issue of cybersecurity in K-12 education with special guest, Chris Rule, a Technology Director with 25 years of experience. We discuss the urgent need for tangible action in this area and explore operational maturity practices like third-party information security risk management, vendor risk management, vulnerability management, and password management.
A focus of the episode is the need to translate cybersecurity concerns into strategic actions at the executive level. We also discuss the impact of cyber insurance programs and the severe disconnect between cybersecurity...2024-05-0829 minQPC Security - Breakfast BytesPractical example of how operational maturity improves productivity while reducing riskIn this episode of Breakfast Bytes, vCISO Felicia King of QPC Security uses an example of dark web data and how it can be leveraged. She describes how operational maturity in an organization can make that organization more competitive, lower risk, improve collaboration, improve culture and employee retention, while reducing risk.
She explores why actioning relevant, specific data is more critical than simply having it available. Learn how the combination of constant training and right data can effectively reduce risks and add value in a business of any size. These methods are practical for large a...2024-05-0228 minQPC Security - Breakfast BytesUnlocking Strategic IT Investments and Information Security"Unlocking Strategic IT Investments and Information Security: Expert Insights with Gina King" dives into the critical aspects of IT investments and infrastructure. Felicia King, host of 'Breakfast Bytes', engages in a captivating conversation with Gina King, a leading Chief Information Security Officer. The extensive dialogue sheds light on necessary expenditures on Information Systems and Technology, managing and optimizing security investments, and realigning perceptions of IT as a valuable strategic asset.
Through their enriching discussion, Felicia and Gina tackle widespread issues of underinvestment in IT, encouraging businesses to understand and optimize their IT expenditures. Pointing to the risks...2024-04-111h 16QPC Security - Breakfast BytesDomain/DNS hosting, account ownership, security issues and TCOJoin us in this insightful episode of Breakfast Bytes with Felicia King, along with our guest Kyle Wentworth of the Wentworth Group. We delve into a balanced exploration of business needs vs IT security needs, demonstrating the magnitude of this issue with a case study of a massive spam operation hijacking over 8000 trusted brand domains.
https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html
In this detailed conversation, our experts elucidate steps towards prevention and emphasize the significance of effective domain ownership and control. Kyle highlights the central role of Technology Management departments in mitigating IT risks and stresses...2024-04-0758 minQPC Security - Breakfast BytesCyber Insurance versus Cyber WarrantyIn today's episode of Breakfast Bytes, we are delighted to have Joe Brunsman from Brunsman Advisory Group as our special guest. Known for his extensive knowledge on the intersecting worlds of insurance and cybersecurity, Joe offers beneficial insights on the evolving sphere of insurance exclusions and how businesses can navigate these changes amidst the increasing threats of cyber warfare. Tune in as we explore the importance of adopting risk mitigation strategies with tangible security investment returns rather than relying solely on insurance coverage.
Join our profound discussion on the role of senior management in establishing a secure...2024-03-251h 25QPC Security - Breakfast BytesDemystifying IT Services and the Shared Responsibility ParadigmWelcome to another eye-opening episode of Breakfast Bytes hosted by Felicia King. In this episode, we dissect prevalent misconceptions in the IT industry particularly regarding services like NOC, SOC, XDR, and SOAR. Explore the conundrum between cybersecurity checkbox exercises and the pivotal need for legitimate risk reduction efforts. Moreover, discover potential pitfalls of co-managed IT and strategies to sidestep them.
We delve extensively into co-managed IT services, illustrating their significance, pitfalls, financial risks associated with improper executions, and real-life challenges and liabilities. Emphasis is also laid on the involvement of the clients and their responsibilities in relevant...2024-03-0133 minQPC Security - Breakfast BytesHow establishing requirements properly results in best outcomesFelicia is joined by fellow CISO Dawn Montemayor, partner at PureCyber, which is a security minded business consulting firm. Learn from two CISOs about how vital it is to use operationally mature processes in requirements definitions in order to achieve effective outcomes while avoiding toxic behavior in complex entities.
the importance of vulnerability assessment and management requirements in contracts
It is imperative for resource owners to be designated and held accountable to outcomes.
Exit strategies must be established as part of the procurement process
Lack of right to audit clauses in cloud services contracts
How the lack of...2024-02-0229 minQPC Security - Breakfast BytesOperational Maturity is required to have Information Security Risk ManagementFelicia is joined by Laura Conrad, a Security Architect with 30 years of experience in enterprise environments. Laura currently reports directly to a CISO, and has been an integral part of the information security program at two large enterprises.
Felicia has consulted with 26 large enterprises and numerous SMB organizations in the last 30 years. She finds that the same problems occur in every organization that lacks operational maturity.
Are you a person working in information security frustrated by the lack of progress of a security program in an organization because of the org's lack of operational maturity? D...2024-01-292h 01QPC Security - Breakfast BytesManaging the impact of changing IT service providersFelicia shares insights on the pitfalls of changing IT service providers or MSPs for both clients and the IT service providers themselves. This content is based upon a number of questions that other MSPs have posed to Felicia asking for advice as well as numerous first hand experiences on the subject.
This podcast is primarily for IT service providers or MSPs, but business decisions makers who are considering making a change would also benefit from the content.
2024-01-1929 minQPC Security - Breakfast BytesCMMC and latest DoD memo implications and far reaching effects related to FedRAMPSpecial guest Tobias Musser of MNS Group generously shares with the Breakfast Bytes audience his wisdom and insight into what is a challenging and nuanced regulatory landscape that has far reaching business implications.
https://mnsgroup.com/
A vigorous discussion of the implications of the latest DoD memo about DFARS 7012 FedRAMP or FedRAMP moderate.
FedRAMP Compliance Challenges and Hybrid Approach
Tobias and Felicia discussed the implications of a DOD memo mandating FedRAMP compliance for all products used by a DOD contractor or subcontractor. They explored the potential challenges, especially for small businesses, and the...2024-01-1929 minQPC Security - Breakfast BytesWhy the ship has sailed on BYODTom Dean of Consulting Adventures joins Felicia for part three of the analysis on mobile devices and the problems with them.
OKTA breach, IT admin’s password getting stored in gmail password synced manager
Two-way problems. Personal on business and business on personal
Lack of clarity around device wipe, device use policies, apps running on devices
Compliance is easier when business owns the asset and delineation of ownership of asset and data is clear.
If the configurations are not managed, the cost profile to the company is a lot higher.
Credentials and MFA spill over in both directions
Da...2023-12-0929 minQPC Security - Breakfast BytesThreats to mobile devices and how to manage them, part 2Part 2 of a series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
Tom has decades in capital goods manufacturing industry (fortune 500 scale)
Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale)
Current focus is strategy & risk management consulting
Lifelong learner and an interest in technology.
Strategy + risk management ---> mobile devices
Topics:
Apple find my network; useful feature, but privacy considerations
SSO risks where there are too many items that can be compromised if there is a single compromise of a sin...2023-11-2929 minQPC Security - Breakfast BytesPhysical threats to mobile phones, SIM hijacking, out of band SMS, and YubikeysPart 1 of a two-part series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
Tom has decades in capital goods manufacturing industry (fortune 500 scale)
Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale)
Current focus is strategy & risk management consulting
Lifelong learner and an interest in technology.
Strategy + risk management ---> mobile devices
Personal travel:
Laptops have transformed to mobile devices (phones and tablets)
Risk was more contained with laptops, but the impact is much higher with mobile phones. A l...2023-10-3029 minQPC Security - Breakfast BytesHow to analyze workloads and decide how they should be hostedThe process of determining how workloads should be hosted is very complex and not a decision that should be abdicated to the IT service provider. Business decision-makers must be involved in those decisions as only they are able to define the key criteria that all other factors are dependent upon.
2023-10-0529 minQPC Security - Breakfast BytesHow a lack of understanding of business processes relates to adverse financial impactCTO Kyle Wentworth joins Felicia for a discussion about how businesses can avoid adverse financial impacts.
Lack of understanding of the language of technology
It changes so incredibly fast that it takes a sea of people who understand the pieces
Complete perspective of how the business of technology should be run
Understand what governance and compliance standards your business is held to
That dictates how you do business.
Some tangible examples of how things can and should be done:
Justification statement annually for exp...2023-09-0129 minQPC Security - Breakfast BytesEmail security management and monitoring is criticalWhy it is critical to have an email security expert managing and monitoring email security configurations and delivery of email on an ongoing basis.
Instructions from marketing automation platforms are not adequate.
It matters A LOT what you are trying to do with email. Getting these items configured is an art form.
Vendors are continually failing vendor risk management analysis and losing business over their email not being properly configured.
New website resource: https://kb.qpcsecurity.org
2023-08-0429 minQPC Security - Breakfast BytesCISO, CTO, CIO, what’s the difference?Kyle Wentworth of Wentworth Consulting Group joined Felicia to compare/contrast three C-suite level IT/IS related roles.
Kyle has 35 years of business experience and has been working on computers since 1976. He is a:
Fractional CTO
Business coach
Business process modeler
Kyle has a great resource on his website to help people understand the differences between these C-suite roles.
https://wentworthconsultinggroup.com/cto-cio-ciso-consulting/
Listen to the podcast for some Kyle truth bombs such as:
"Technology runs your business. You don't. We facilitate technology to run our business. IT is...2023-06-1629 minQPC Security - Breakfast BytesZero trust fundamentalsZero trust is not a product you buy.
The problem that most organizations have is that they are still not doing the fundamentals well.
CIS has a community defense model.
I did a detailed webinar on it where I covered a lot of these fundamentals.
https://www.qpcsecurity.com/2023/02/16/addressing-information-security-fundamentals-with-cis-and-community-defense-model/
Let's look at inventory management, asset management, change management, onboarding and offboarding.
You must have checks and balances. There must be practices codified in policy with a shared responsibility model which make it so that the issues that are created by...2023-06-0229 minQPC Security - Breakfast BytesFTC SafeguardsRule, IRS requirements, and tax preparersThe IRS regulations for tax preparers being compliant with the FTC Safeguards rule is specified to be enforced starting in June 2023. It is doubtful that the majority of tax preparers are adequately compliant.
The IRS published information about this compliance requirement as far back as 2019.
https://www.irs.gov/newsroom/heres-what-tax-professionals-should-know-about-creating-a-data-security-plan
All of it is common sense and things that orgs should have been doing for ages.
IRS publication 4557
https://www.irs.gov/pub/irs-pdf/p4557.pdf
Before you use a tax preparer, ask them for their...2023-05-0529 minQPC Security - Breakfast BytesMethods to prevent business email compromiseMethods to prevent business email compromise.2023-03-3129 minQPC Security - Breakfast BytesBusiness survival over the next decadeWhat is the number one thing you can do as a consumer to protect yourself when dealing with tax preparers?
Practical examples of what to ask for from your tax preparer and why.
What are the total number of people that would have access to my records if I do business with you? You want me to sign a contract with you, terms and conditions that I have to abide by. If you are going to prepare my taxes, show me your affirmation statement where you as a tax prep preparer have put it in writing that...2023-03-0329 minQPC Security - Breakfast BytesPSA or ERP - paradigm and requirements analysisI get a lot of questions about PSAs, ERPs, and overall paradigms related to core business software. This podcast summarizes things you should be thinking about in your software selection process.
After three years of investigating PSA and ERP options including spending a lot of money on software and payroll, the product we like is Odoo. Organizations using a PSA with add-ons approach are really missing the mark. There is no PSA that does project management well. None of them have accounting systems. Most of them are terrible at quoting. And they are all expensive. They also...2023-02-1950 minQPC Security - Breakfast BytesTech E&O and cyber insurance with Joe BrunsmanTech E&O and Cyber insurance with:
Joe Brunsman of The Brunsgroup – Expert on Tech E&O and Cyber Insurance
YouTube channel – Joseph Brunsman
https://www.youtube.com/@JosephBrunsman
https://www.thebrunsgroup.com/
Damage Control book
https://www.thebrunsgroup.com/book2
Tech E&O and cyber
MSP should have a tech E&O policy. They cover different things. What types of third-party claims will they cover? A guy on the Que recently said that he did not think that E&O was required because his cust...2023-02-091h 00QPC Security - Breakfast BytesImplications of poor design on security - an exampleGoogle and how they do their technology
Things that make security hard.
This is not an exhaustive list of the implications of poor design on security. Covering that topic adequately would likely rival the size of War and Peace. This is a discussion of a tangible example to convey understanding of how technology selection directly correlates to an organizations’ ability to secure or secure their overall environment. In order to accommodate something poorly designed, larger than necessary holes through security may need to be carved. Please get your CISO and security architect to perform a risk assessment te...2023-02-0329 minQPC Security - Breakfast BytesDark web monitoring and avoiding FUD decisionsKathy Durfee – CEO & Founder of Tech House joined Felicia to discuss dark web breach monitoring
Scenario: FUD report from a competitor
Perceived: Multiple users in their environment were breached. Perceived proof was report with the listing of the users and the passwords and columns that the customers did not know what that data was.
Good: Customer told their current IT service provider about the report.
FUD – Fear, Uncertainty, and Doubt – is, in the wrong hands, a powerful tool to drive snap decisions within a company. However, it is not a viable or valid sales...2023-01-111h 50QPC Security - Breakfast BytesThe relationship between proper data handling and real risk reductionThose who listened to the November 19th, 2022 podcast I did with breach attorney Spencer Pollock know that he stated that 90% of the breaches he was involved in over the prior 12-month period would have been non-reportable had the data been properly encrypted.
https://qpcsecurity.podbean.com/e/what-you-must-do-in-order-to-prepare-for-a-breach/
(Review link above for attestation and regulatory enforcement proof.)
I have three major points for you in this show.
You need an IRP
You need a CvCISO
And you need to understand how data is being handled in your organization
Let’s first talk ab...2023-01-0429 minQPC Security - Breakfast BytesUnderstanding vCISO services and why you need themRecent question I got:
What are the major changes that you have seen from security auditors in recent years and/or where do you see the audit process heading?
Quick response:
For the sake of a high level, automation is and will continue to be used. The size of the IT service provider is NOT a conveyance of their capabilities or capacity.
Many 60 person MSPs are grossly incompetent. Some small teams of about 8 people are exceptionally skilled.
C-suite needs to drive it from the end in mind. The end...2022-11-3029 minQPC Security - Breakfast BytesWhat you must do in order to prepare for a breachBreach attorney, Spencer Pollock joins Felicia for a vigorous discussion of what you must do in order to be prepared for an incident or breach. Learn from the breach attorney perspective.
Spencer is with the well-known firm McDonald Hopkins.
Policies
preparation
incident response plan
tabletop exercises
must get breach attorney involved before there is an incident
determine your team in advance
What's new?
regulatory enforcement
multi-state class action lawsuits
attorney generals getting together to class action effort
Regulators DIG
They want to see your policies.
You must demonstrate your administrative, physical, and te...2022-11-1939 minQPC Security - Breakfast BytesInformation Security, Cybersecurity, and Everyone’s ResponsibilityWhat is information security versus cybersecurity?
What are policies and why do we care?
Isn't that IT's problem?
Examples to learn from
2022-10-2829 minQPC Security - Breakfast BytesRipping apart cybersecurity insuranceSpecial guest:
Vince Gremillion – President and Founder of Restech: CISSP, CvCISO, GCIH
Overview
Travelers policy – requires MFA on switches. They require you comply with the intent of that.
Recent Cowbell application did not require MFA!
What is required is contingent upon the coverage you are asking for.
Some suggestions:
Never fill out an app for a client, not even partially
MSP comms to a client should be in a document in a detailed format and it should be digitally signed and locked for editing through that digital signature. I us...2022-10-1258 minQPC Security - Breakfast BytesCISO WorkflowsFrank Raimondi, VP of Channel Development at IGI Cyber Labs
IGI CyberLabs has a product called Nodeware which does continuous vulnerability assessment.
PenLogic – regular penetration test – once a quarter deep dive heavy one and a monthly light test.
CEO buyer’s journey
Security velocity
Risk scoring is part of security velocity
Improve your cyber-hygiene – all small businesses
Security 101 is inventory 101
Cysurance – warranty and liability company
It’s good that insurance companies are trying to be more objective about the real risk metrics. Get...2022-09-3047 minQPC Security - Breakfast BytesBusiness Email CompromiseKen Dwight is “The Virus Doctor” – Business consultant and advisor to IT service providers and internal IT at many businesses who have come to him for his training, has his own direct clients. Ken conducts a monthly community meetings for alumni. He provides a list of curated items of current interest for discussion and resources, and has a featured topic which often includes another speaker to provide breadth of perspective. He has been doing this community service for 83 months!
I asked Ken to cover with me some topics that from his perspective don’t get talked about enough.2022-09-2949 minQPC Security - Breakfast BytesVulnerability management with Felicia and Dan - Part 2This episode of Breakfast Bytes is Part 2 of a series where Felicia King and Dan Moyer of QPC Security continue their conversation on Vulnerability Management. Listen to Part 1 at https://qpcsecurity.podbean.com/e/vulnerability-management-part-1/.
In today’s episode, Felicia and Dan discuss vulnerability management workflows, supply chain risk management, starting with security on the front end rather than retrofitting, and proper patch management.
Workflow management
01:10 CISO-related (Chief Information Security Officer) workflows are at the core of what is today’s necessity, and we will only see it become more mandatory within the next couple of years...2022-09-2254 minQPC Security - Breakfast BytesFile integrity checks (hashing) versus communications or data encryptionWe have seen some really goofy cybersecurity insurance application questions. It is always best to not answer a question that is goofy, but instead to write an addendum that defines terms and explains the cybersecurity posture of an organization related to the topic. You need to try to figure what the insurance company was trying to evaluate rather than just answering their questions because their questions are frequently not suitable for yes/no answers.
Greg Cloon joins me to discuss this topic.
We also touch on when you would use file hash integrity checking, when...2022-09-2129 minQPC Security - Breakfast BytesVulnerability management that every business decision maker needs to know about - Part 1Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management and all the things that business owners are generally not understanding adequately. As a result of that, you're being underserved, misled, and in some cases were lied to and ripped off.
Ultimately, many business owners are refusing to pay for what they need for adequate risk management because they don't understand what they need. In today's episode Felicia and Dan fill that gap.
Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the false claims act to t...2022-09-131h 03QPC Security - Breakfast BytesSigns of insufficient networking knowledgeScenario 1
Phone VLAN on a switch and cross connected into a Firebox with desk phones, PCs, and printers in the environment
Questions we actually got:
On Monday, we send over the list of what switch ports are for printers, which are for PCs, and which are for desk phones. Technician says that two of the three phones are not working. We use our awesome switches to find out exactly where these other phones were plugged in. The phones were plugged into the wrong switch ports. Move desk phones, phones work.
Then later, the...2022-07-1732 minQPC Security - Breakfast BytesAbout Password ManagersMore than 80% of breaches occur due to credential theft. All organizations have compliance requirements to have org-owned password management systems and MFA enforcement on accounts used by employees and contractors.
Some other needs which must be met are:
Compliance attestation documentation
Proper use of the best MFA method on a per resource basis
Aligning business continuity objectives with cybersecurity objectives
Developing procedures for staff on how to use the company password manager system properly
Aligning procedures with information security policy
Developing/enhancing information security policy
End user awareness training around credentials, MFA, password management
and more
2022-07-1633 minQPC Security - Breakfast BytesRequirements for premise hosted assets; cybersecurity, BCDR, and moreYou should not put things in the cloud unless you can secure them there at least as good as a highly competent professional would have if they had that asset on premise.
Cloud hosted assets have additional risks.
Counterparty risk
Additional outage and accessibility risk
You have less control
You have less security over the human or governmental access to your content
Zero 4th Amendment protections over that data. It's fully subject to FISA searches that the provider is required to never tell you about.
Also do NOT get sucked into the scam that cloud...2022-07-0129 minQPC Security - Breakfast BytesVirtual Patching, Telecom Fraud, Running VM Server on NASI got a request to post this podcast from 12/1/2018 to podbean. Here it is.
2022-06-0329 minQPC Security - Breakfast BytesVideo management system appliance analysisOriginally aired: 11/1/2018.
I had a request to post this older podcast to Podbean, so here it is.
VMS Appliance cost analysis between the "appliance" version and the "you get a real server" version.
https://qualityplusconsulting.com/BBytes/QPCAnalysisOnAxisVideoRecorderServer.pdf
2022-06-0329 minQPC Security - Breakfast BytesWhy real server hardware is usually the most cost-effective optionI got a request to publish a podcast I did a few years back on podbean, so here it is. Originally this was from 10/19/2018.
Usually there is no substitute for real server hardware. Attempts to pay less for server hardware almost always end up costing you more in the long-run.
Windows 10 as of Build 1809 10/2/2018 has an IPv6 requirement. There are a bunch problems with that.
We cover the option of running an ACS Appliance instead of building your own ACS VMS using a real server. We will go into more detail a...2022-06-0329 minQPC Security - Breakfast BytesResources for job candidates in cybersecurity - What you need to do to be employableOverview
Listen to the podcast or the list of these resources may not make sense to you. You cannot secure what you cannot engineer, implement, maintain, and support. Security was always infused into IT if you did IT correctly. I know. I've been doing IT since 1993 and was programming in third grade. Security was ALWAYS part of a proper strategy.
I'm always trying to add to the team. But I find that a lot of people are just wholly unqualified to do baseline prerequisites. They get misled and sold on the idea of getting a degree in I...2022-06-0129 minQPC Security - Breakfast BytesRight-sized softwareAmazing interview with Colin Ruskin, CEO of WorkOptima, on the topic of right-sized software.
Colin has an incredible talent at being able to distill the truth of something into a catchy and memorable tagline using spot on metaphors.
Some highlights:
Can I actually use the software and benefit from it?
Floors versus software that grows with you
All features all the time, but license it at the per-user
Enterprise drama and enterprise mindset which is not really trying to sell to the SMB market and is really trying to break into the SMB market...2022-05-171h 11QPC Security - Breakfast BytesHow to achieve compliance for privileged account managementCybersecurity insurance requires MFA for all internal and external administrative access. How do you accomplish this?
Examples of things you might access:
switches
firewalls
servers
printers
workstations
DNS hosting
website hosting
cloud management portals
NAS
BCDR appliances
There are many ways to solve this problem and they are all too long to post about here, so this is what this podcast is about.
- Passwordstate remote integrated proxy authentication
- tiered access control
- compensating controls as an alternate for MFA
- access portals with MFA
- privileged a...2022-05-0429 minQPC Security - Breakfast BytesAPI Security and external vulnerability scanningAPI Security is going to be the thing you need to be paying attention to in the next two years.
Partner with an information security officer like QPC Security to get an internal and external vulnerability scanning plan in place for your organization. A lot of vulnerability management is not possible to do with tools. It takes experience and expertise that comes from 29 years of hard work.
A great API scanner https://www.wallarm.com/
RMM security topics/tactics
Either fund your IT security or decide to go out o...2022-04-0129 minQPC Security - Breakfast BytesWorking with a Breach Coach/Attorney - A PrimerCyberlaw podcast
What needs to be pre-documented for the breach attorney to be effective? And in what format?
What to do to protect yourself from outrageous fees?
What to do in order to get proper service from a breach attorney?
What are the advantages of having a pre-established relationship with a breach attorney?
What positive outcomes arise from having pre-breach meetings with a breach attorney?
3/24/2022
Spencer Pollock – Cybersecurity breach attorney
Felicia King – QPC Security, Security Architect and Information Security Officer
What needs to be pre-documented for the breach attorney to be ef...2022-03-2947 minQPC Security - Breakfast BytesAvoiding real estate theft, deed theft, and related scamsCheck out dark patterns for scam awareness.
https://www.darkpatterns.org/
Avoid the new movers mailing list
Avoid putting real estate in your personal name
Use a service like Abine DeleteMe
Get a PO Box and stop having snail mail delivered as much as possible
Subscribe to paperless billing as much as possible
Harden your digital life
Get off social media and stop sharing your life in public digital media
Be aware of deed fraud and how to verify that no one has stolen your deed.
Be aware of how foreclosure rescue scams are p...2022-03-0329 minQPC Security - Breakfast BytesAttestation, scoring, evaluation, and business process in achieving improved cybersecurity posture and complianceJoy Beland joins Felicia to discuss:
What Edwards Performance Solutions is doing in the CMMC training space
Joy's team created the CMMC assessor textbook
Many orgs have cybersecurity insurance enforcement for the first time ever
Joy's extremely wise metaphor and perspective on cybersecurity insurance (15 mins)
Transfer of risk and economic destruction
DMARC, DKIM, SPF tuning
What tools exist to help the SMB market with attestation, and establishing patterns of due care and due diligence?
IS policies and processes are required as part of the proof mechanism
Mechanisms to actually evaluate risk so that business leaders can make effective...2022-01-2445 minQPC Security - Breakfast BytesIntegrated IT risk management - part 2Identity theft via insecure credit APIs
Integrated IT risk management part 2
2021-12-3129 minQPC Security - Breakfast BytesAssessments and Integrated IT Risk Management - Part 1Problems with and limitations in many assessments
Many assessment report results from automated tools can be incomplete, incorrect, or pretzel talk
What realistic expectations should you have from a paid and unpaid assessment
There are certain security baselines simply so your organization can be insurable.
There are certain security baselines in order for your organization to be serviceable by an IT service provider.
Small organizations can easily find themselves spending $50,000 that they don't have in order to recover from a cybersecurity event.
It's not just about money. Are you sure that you can get access to all the personnel in...2021-12-0329 minQPC Security - Breakfast BytesTechnical Debt - a whole new perspective10/28/2021
Cyber Matt Lee joins Felicia on Breakfast Bytes to talk about massive issues with technical debt.
Senior Director of Security and Compliance at Pax8.
You have to start with the right definitions. It’s not patch management, it is vulnerability management. You have to ZOOM in. Is your TPM up to date? Is your firmware up to date? Drivers, configurations, remove unpatchable software. Are you still susceptible to spectre and meltdown? What about SMB1, PowerShell 2.0, LLMNR, etc.? “That doesn’t have a patch, and you have to get rid of it.”
Where th...2021-10-2935 minQPC Security - Breakfast BytesAvoid cybersecurity insurance fraudHow to avoid cybersecurity insurance fraud. If this happens to you, your claim will be denied and you will likely be uninsurable in the future including by other insurance providers.
You have to be working with an extremely operationally mature ITSP with ISOs on staff or you probably will not be able to navigate this complexity.
Great article showing a claims denial and then accompanying lawsuit for a perceived insurance fraud indicent.
https://www.insurancejournal.com/news/national/2022/07/12/675516.htm
2021-09-2528 minQPC Security - Breakfast BytesWhy converged NOC and SOC are so critical to security efficacyJoining Felicia is Rui Lopes, Senior Technical Evangelist at WatchGuard Technologies. Rui was with Panda Security prior to the WatchGuard acquisition and has spent many years merging the technical with customer enablement at a level rarely seen. His efforts at WatchGuard are projects, partner support, and overall customer enablement of using the endpoint protection technology effectively.
When I listened to an interview with Fortinet's CISO regarding converged NOC/SOC, I had to reach to Rui to formalize several conversations we have had over the last 1+ years because we both have seen the need for this strategy for...2021-09-1347 minQPC Security - Breakfast BytesAct now so your emails will still be deliverableNDAA 2021 legislation is forcing a gaps closure in SPF, DKIM, and DMARC.
This stuff is really complicated. Get some seriously competent help. I don't think most ITSPs (IT service providers) have enough experience in managing this especially in light of the inclusions of marketing automation platforms on root domains.
You cannot be driving a hole with a 20 lb sledgehammer through your email ingress filtration policies in order to accommodate for incompetently configured sender framework on behalf of your senders.
It's time to push back on their incompetence. Get your VISO involved and...2021-09-0722 minQPC Security - Breakfast BytesGaps in EDR/EPP paradigms and what to do about themExcellent and invigorating discussion on the gaps in EDR/EPP and what to do about them with Maxime Lamothe-Brassard, founder of LimaCharlie.io and Refraction Point.
LimaCharlie
avoiding tool proliferation
avoiding the jedi mind trick of EPP
identify gaps in a lot of EDR/EPPs
challenges with outsourced SOC
supply chain risk in toolset vendors
paradigms around security tools and training
2021-08-3140 minQPC Security - Breakfast BytesKaseya VSA breach analysisWhy the breach happened and what people could have done to prevent it.
What Kaseya could have done differently.
How to manage supply chain risk when your software vendor is not.
Smart vendors use the experts in their customer base.
People really need to have a major paradigm shift and look seriously at an RMM as being nearly the same as a nuclear launch code.
Kaseya VSA Limited Disclosure | DIVD CSIRT
2021-08-1629 minQPC Security - Breakfast BytesParsing out the risk issues associated with cloud technologiesImproper use of cloud and the problems caused by improper pre-planning and risk assessment of improper use of cloud.
Kim Nielsen, founder and President of Computer Technologies, Inc. cti-mi.com joins Felicia to discuss dangers and risk of improper use of cloud hosted technologies.
Business risk vs security risk, must have an exit plan. Dangers of subscriptions.
Huge databases don't belong in the cloud because it is not more secure.
https://www.infosecurity-magazine.com/news/over-60-million-americans
2021-08-0630 minQPC Security - Breakfast BytesThe REAL reason you cannot afford to have a cybersecurity incidentI have been thinking for months about the latest challenges faced by organizations with regards to the increased cybersecurity risks, what is at stake, how unprepared they are, and how the cyber insurance companies are responding to the changing landscape.
As I have had conversations with business decisions makers, they often think that they have little to risk. Many businesses feel that they are not under much if any regulatory framework that requires them to take action. It seems that each week I see another cybersecurity insurance risk assessment questionnaire that nearly every organization will fail. Compliance...2021-08-0630 minQPC Security - Breakfast Bytes11 security vulnerabilities highlight the necessity of viable network layer security strategyTopics:
facial recognition
Systems with Windows Defender compromised
11 recent security vulnerabilities highlight the necessity of viable network layer security strategy
https://www.msn.com/en-us/news/us/fbi-ice-find-state-driver-s-license-photos-are-a-gold-mine-for-facial-recognition-searches/ar-AADZk0d?li=BBnb7Kw
https://www.newstarget.com/2019-07-29-americans-already-in-fbi-facial-recognition-database.html
https://www.forbes.com/sites/daveywinder/2019/07/31/windows-10-warning-250m-account-takeover-trojan-disables-windows-defender/#325add6f6fef
Why network layer security and microsegmentation is critical
Also why to use a good quality security appliance
https://armis.com/urgent11/#foobox-4/0/bG6VDK_0RzU
URGENT11...2021-08-0429 minQPC Security - Breakfast BytesReal world examples of small business security compliance problemsReal world examples of small business security compliance problems
Originally aired 5/1/2020
2021-08-0429 minQPC Security - Breakfast BytesEvaluate your purchases to see if they have UPnP and understand why you should not buy devices that use UPnP technologyEvaluate your purchases to see if they have UPnP and understand why you should not buy devices that use UPnP technology
Update on the Capital one data breach
Adverse business impact and higher fees associated with subscription based software licensing versus perpetual
Originally aired: 7/3/2020
2021-08-0429 minQPC Security - Breakfast BytesHow easy is it to not get hacked?How easy is it to not get hacked?
Originally aired 9/4/2020
2021-08-0429 minQPC Security - Breakfast BytesLocation services issues and how it relates to personal physical securityLocation services issues and how it relates to personal physical security
Originally aired 1/3/2020
2021-08-0329 minQPC Security - Breakfast BytesEmail security and cyber risk insuranceEmail security and cyber risk insurance
Originally aired 10/11/2019
2021-08-0329 minQPC Security - Breakfast BytesThe dark side of smart citiesThe dark side of smart cities
A clothing line designed to distract the panopticon
Geofencing warrants
Horror stories of hospital IN-security
Originally aired 9/6/2019
2021-08-0329 minQPC Security - Breakfast BytesWhy bidding out IT jobs often failsWhy many IT business decision makers make mistakes
Over 25 years, bar none, the business decision makers that have regular meetings with us are vastly better decision makers. This directly leads to them saving money by not wasting money.
Why bidding out IT jobs often fails
2021-08-0329 minQPC Security - Breakfast BytesSIM JackingSim jacking
More AWS data breaches affect hundreds of thousands of people
Hacking using smart light bulbs
IoT bricker
MFA options
https://simjacker.com/
https://www.sciencedaily.com/releases/2019/10/191023075139.htm
Originally aired 11/1/2019
2021-08-0329 minQPC Security - Breakfast BytesVehicles and privacy issuesVehicles and privacy issues
Originally aired 2/1/2020
2021-08-0329 minQPC Security - Breakfast BytesWireless security, wireless TCO, 3-2-1 backup strategy, MFA and IP access control strategiesWireless security, wireless TCO, 3-2-1 backup strategy, MFA and IP access control strategies
Originally aired 3/6/2020
2021-08-0329 minQPC Security - Breakfast BytesWhat to do in the event of a cyber attackI read an article authored by two IT people where the article provided what I felt was a bunch of misinformation about what to do in the event of a cyberattack.
I'm not disclosing here who the authors were or providing a link. Instead I thought the best approach was to provide direct actionable intel on what to do in the event of a cyberattack that counteracts the misinformation in the article.
2021-07-2731 minQPC Security - Breakfast BytesPrintNightmare and business riskWhat did you do about the PrintNightmare vulnerability? I describe what we did at QPC Security and for our clients. I also discuss how business owners and executive management can use IT steering committees to make sure that information technology decisions are being made properly and their risks are being mitigated. I often see poor, uninformed decisions being made that lead to massive adverse business financial impact that were completely avoidable by simply using a decision process that is not flawed.
Listen in to learn more about using good decision-making practices that will protect you from financial...2021-07-1729 minQPC Security - Breakfast BytesTough talk about cybersecurity insurance and ransomware incidentsI discuss converting the hearsay from some reported incidents into tangible, actionable intelligence. A ransomware remediator initially reported some really high level unusable data. I pushed for more details, and got them, but immense questions remained.
I help you understand what you can do from a process and systems perspective in order to have provable, attestable, non-tamperable proof about the status of your systems. And I am including a list of questions below for you to ask your cybersecurity insurance provider.
Scenario:
Customer of IT service provider has their own insurance p...2021-07-0229 minQPC Security - Breakfast BytesUnderstanding the concepts of the last mile and the last inchWatch this excellent video: The Last Inch – Solari Report
Hyper Precise location services
Verizon unveils Hyper Precise Location service in more than 100 markets | VentureBeat
Apple iPhone is constantly taking pictures of you if you use face unlock
Apple Tech is Constantly Spying on You (renegadetribune.com)
Good reference article on the Colonial Pipeline attack
From Fuel Shortages to Gas Hikes: How the Colonial Pipeline Co. Fell Victim to a Ransomware Attack? | SOCRadar® Cyber Intelligence Inc.
CHD Sues FCC to...2021-06-0330 minQPC Security - Breakfast BytesExposed Colonial PipelineBarb Paluszkiewicz Chief Executive Officer of CDN Technologies and Felicia King of Quality Plus Consulting discuss the Colonial pipeline cybersecurity incident.
What would you do if it happened to you?
Lessons learned
Great examples of how to avoid this happening to you
Felicia was a guest on Barb's KNOW Tech Talk podcast. It is posted here also for accessibility.
2021-05-2846 minQPC Security - Breakfast BytesPrivacy problems with IoT and wearables and bluetoothPrivacy problems with IoT and wearables
Bluetooth
Ransomware guidance from US Treasury
Bluetooth BLUR attacks
https://hexhive.epfl.ch/BLURtooth/
Bluetooth range estimator
https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/range/#estimator
Treasury warns that paying ransomware is a crime
https://www.insurancejournal.com/news/national/2020/10/01/584906.htm
How to upgrade the technology firmware in your automobile
2021-04-3029 minQPC Security - Breakfast BytesHackers compiled data from a bunch of breaches and it's in a reusable scriptSchool cybersecurity attacks
automated hack strategy
2021-04-3029 minQPC Security - Breakfast BytesWhat is zero trust cybersecurity?Zero trust cybersecurity posture concepts
How many agents should be on an endpoint?
Examples of some good products we should use and why
Concepts of the technology security stack
2021-04-3029 minQPC Security - Breakfast BytesWhat is involved in a secure endpoint strategy?Overview of the secure endpoint strategy
The CIA you care about – confidentiality, integrity, and availability of the data on and accessed by your technology systems
You need strategies effective a protecting against the efforts of nation state actors and large criminal enterprises
Your bank account, identity, business, and mental health are at stake
What security posture strategy works now?
Who do you partner with and vet or assess them?
It is not about simply selecting the technology. It is much more about the partner who services you.
Zero-trust posture coupled with the proper services
Welcome to...2021-04-3028 minQPC Security - Breakfast BytesAssessing and understanding counterparty riskCounterparty Risk
Solarwinds hack and how it related Dominion voting machines
Juice jacking - don't use public charging stations
Juice jacking: Why you should avoid public phone charging stations (nbcnews.com)
SolarWinds Exposed FTP Credentials Publicly in a Github Repo (ampproject.org)
IoT Cybersecurity improvement act
Text - H.R.1668 - 116th Congress (2019-2020): IoT Cybersecurity Improvement Act of 2020 | Congress.gov | Library of Congress
Trickbot UEFI bios mods
One of the Internet’s most aggressive threats could take UEFI malware mainstream | Ars Technica2021-04-3029 minQPC Security - Breakfast BytesThe most secure helpdesk is the one that is not outsourcedChallenges with having baseline 101 level quality IT services
Beware of outsourced help desks
Items to use to assess your IT services provider
The most secure help desk outsourcing is no help desk outsourcing.
There are many ways in which help desk outsourcing can create compliance and security violations.
How Help Desk Outsourcing Undermines Your Security | IT Pro (itprotoday.com)
The user's identity should be validated when they are calling for support. We use a system where end users have supp...2021-04-3029 minQPC Security - Breakfast BytesIncident response and mitigating supply chain attacksEvaluating counterparty risk
How supply chain attacks can be defeated
What is a realistic cost for incident response?
2021-04-3029 minQPC Security - Breakfast BytesPatching strategy and lessons from the Exchange HAFNIUM attackExchange HAFNIUM attack
Pretty much every Exchange server on the planet got hacked that was internet accessible without protections in front of it
Anything that does not have MFA protections in 2021 is going to be hacked, especially if it is accessible from the internet
Not having MDR and THIS with zero trust posture is just not acceptable
Yes this is increasing the cost substantially, but your alternative is what?
It is possible to proxy the traffic ingressing to the Exchange server and inspect that for IPS signatures
Fireboxes Detect HAFNIUM Attacks in the Wild | Secplicity...2021-03-3129 min